Security translation

merge-requests/85/head
Aleix Quintana Alsius 2023-04-23 17:06:55 +00:00
parent cd78248bff
commit b63cb092f9
2 changed files with 70 additions and 1 deletions

View File

@ -100,7 +100,7 @@ Before integrating a Merge Request, we need to make sure that this checklist is
- [ ] The new features which may have negative effects, only will be applied by default when operators did have enough time to disable these before. - [ ] The new features which may have negative effects, only will be applied by default when operators did have enough time to disable these before.
If any of these steps fails, we'll try to help who requested the code merging to solve the problems. If any of these steps fails, we'll try to help whoever has requested the code merge to solve the problems.
[buildbot]: https://buildbot.net [buildbot]: https://buildbot.net
[pola]: https://en.wikipedia.org/wiki/Principle_of_least_astonishment [pola]: https://en.wikipedia.org/wiki/Principle_of_least_astonishment

69
docs/security.md Normal file
View File

@ -0,0 +1,69 @@
# Security
## DD Configurations
Currently the DD has the following specific options related to security:
### Web Application Firewall (WAF) / Modsecurity
Web Application Firewall/Modsecurity can be enabled following [these instructions](waf-modsecurity.md).
### ClamAV / Antivirus
As is done when enabling [WAF](waf-modsecurity.md), `ClamAV` can be enabled setting the variable `DISABLE_CLAMAV` to `true` in `dd.conf` and running:
```sh
# Regenerate docker-compose.yml
./dd-ctl yml
# Start the container
./dd-ctl up
# Apply specific ClamAV configurations in other services
./dd-ctl personalize
```
## General system security
System security can be complex, general criteria are set out here to help protect the system.
Remember that you will have to apply your professional criteria to adapt following recommendations to your requirements.
### `dd.conf` file
This is the main system configuration, **only the system administrators** must access it! Be sure that file permissions are set according to it.
Review in new versions of DD the changes done in `dd.conf.sample` and set your `dd.conf` according to these changes.
### Firewall
As any exposed service in internet, is important to set correctly a firewall, DD only needs to be allowed the tcp ports 80/HTTP and 443/HTTPS.
One option is using `ufw` with `deny` default incoming policy, and only allow 80 and 443 over TCP.
Be careful to not disable access of ssh port if you are using it, as it will denies access to the system!
Read more about it in [SSH access](#acces-ssh).
### SSH access
Ideally, configure the firewall to deny access to all connections to port 22/SSH TCP.
If you are not using a VPN, but you have any range of public ips, you can allow access to port 22/SSH to one of these public ips.
If you are using a VPN, this is the best option. You'll need to configure in `/etc/ssh/sshd_config` the option `ListenAddress` to only allow the connection from the range of your VPN IP. Or set the firewall to only allow VPN IPs range.
### SSH authentication
**Never** use **password** when authenticating via ssh.
Always use **asymmetric keys** and, if possible, a physical security device that keeps your private key in a secure way, something like [YubiKey](https://yubico.com).
### Intrussion detection
It is recommended to deploy `rkhunter` to detect system anomalies.
You can read configuration recommendations on this [wiki][serverstats].
## Other resources
You can read more about security questions in this [public documentation][serverstats].
[serverstats]: https://gitlab.com/MaadiX/server-stats-and-check/-/wikis/en_home